Security Update: Movable Type 5.12, 5.06, and 4.37 Released

If you are running Movable Type and you have users on your system you can't completely trust, you urgently need to update to the latest version, says Six Apart in an announcement this morning. They specifically mention that this release fixes an issue where:

Under certain circumstances, a user who has "Create Entries" or "Manage Blog" permissions may be able to read known files on the local file system.

That is bad, as it would allow a potential attacker to read things like configuration files, which may contain passwords or other sensitive information.

However, if you are the only author on the system and you haven't set up Movable Type to allow newly registered users to get these permissions anywhere, you should be pretty safe, it seems.

This link does not work for me, but I believe it is a reference to this issue discussed on the forums recently. In short, entries that had double dashes in their title were getting a different published URL under MT 5.11, and this change seems to have been reverted in MT 5.12.